Threat Watch

Backdoor Attack Allows Threat Actors to Access PHP Repository’s User Database

At the end of March, the server was believed to be compromised when a malicious source code update was pushed, adding a backdoor to PHP itself. However, an investigation revealed that the commits were pushed using HTTPS, rather than the usual SSH certificate-based authentication, and used existing users’ passwords that had apparently been compromised from another source. “It is notable that the attacker only makes a few guesses at usernames, and successfully authenticates once the correct username has been found. While we don’t have any specific evidence for this, a possible explanation is that the user database of has been leaked, although it is unclear why the attacker would need to guess usernames in that case,” stated Nikita Popov.

Since the compromise, it has come to light that the authentication system was running on an old OS with weak TLS ciphers and an old version of PHP, so the attack may have begun with the threat actors exploiting an unpatched vulnerability. Fortunately, everything has been moved to a new main system and all users have had their passwords forcibly reset. Instead of being stored as weak MD5 hashes that are easy to crack, passwords will now all be stored as industry-standard bcrypt hashes.
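The MD5-to-bcrypt migration the brief describes can also be done without a forced reset, by verifying a legacy hash once and rehashing on the user's next successful login. The following is an added example, not php.net's own code; the `users` table, the `md5:` prefix marking legacy rows, and PHP 8 (for `str_starts_with`) are assumptions.

```php
<?php
// Added example (not php.net's own code): transparent upgrade of stored
// password hashes from unsalted MD5 to bcrypt on the next successful login.
// Assumptions: a `users` table with id/username/password_hash columns, and
// legacy rows tagged with an "md5:" prefix so they can be told apart.

const LEGACY_PREFIX = 'md5:';
const BCRYPT_OPTS   = ['cost' => 12];

function verifyAndUpgrade(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: verify against a dummy bcrypt hash so a missing
        // username and a wrong password cost roughly the same time.
        static $dummy = null;
        $dummy ??= password_hash('dummy', PASSWORD_BCRYPT, BCRYPT_OPTS);
        password_verify($password, $dummy);
        return false;
    }

    $stored   = $row['password_hash'];
    $isLegacy = str_starts_with($stored, LEGACY_PREFIX);

    if ($isLegacy) {
        // Legacy row: constant-time compare against the old unsalted MD5 digest.
        $ok = hash_equals(substr($stored, strlen(LEGACY_PREFIX)), md5($password));
    } else {
        // Modern row: bcrypt; salt and cost are read from the stored hash.
        $ok = password_verify($password, $stored);
    }

    if (!$ok) {
        return false;
    }

    // Rehash if the row is still MD5, or if its bcrypt cost is below policy.
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $new = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([$new, $row['id']]);
    }
    return true;
}
```

Legacy rows that never log in again keep their crackable MD5 hash, which is why a forced reset, as php.net chose, closes the window faster.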